ES2552675A1 - Routing method with security and authentication at the frame level (Machine-translation by Google Translate, not legally binding) - Google Patents


Info

Publication number: ES2552675A1
Authority: ES (Spain)
Legal status: Granted
Application number: ES201430822A
Other languages: Spanish (es)
Other versions: ES2552675B1
Inventor: José Antonio ENRIQUE SALPICO
Current Assignee: Tecteco Security Systems Sl
Original Assignee: Tecteco Security Systems S L

Abstract

Routing method with security and authentication at the frame level. A routing method is disclosed, to be implemented in the firmware of a router, that provides greater security at low cost because it works substantially at layer 2 of the OSI model. The described router incorporates several levels of security: it comprises a first stage (1) of MAC address detection (10), a second stage (2) of MAC address (10) authorization, a third stage (3) of user authorization for that MAC address, and optional higher-level protections such as a fourth stage (3) of time restrictions and a fifth stage (5) of additional restrictions such as blocking of ports, protocols and web pages, among others. (Machine-translation by Google Translate, not legally binding)

Description

ROUTING METHOD WITH SECURITY AND AUTHENTICATION AT THE FRAME LEVEL

DESCRIPTION

OBJECT OF THE INVENTION

The present invention discloses a method of routing signals in a data network. More specifically, the present invention discloses a routing method that incorporates security improvements at the frame level (layer 2 of the OSI, "Open System Interconnection", model).

BACKGROUND OF THE INVENTION

Various signal-routing methods are known in the art, and some of these mechanisms even incorporate complex security algorithms so that only the users who should be part of a network can interconnect their devices on it.


Usually, this identification of users is carried out at layer 3 of the OSI model, that is, by means of IP ("Internet Protocol") addresses, or at layers above it. The devices in charge of routing and of the prior security identification must therefore be able to interpret data at least at layer 3 of the OSI model.

Moreover, identification based on IP addresses is insufficient to guarantee the identification of a user, since any user can configure the IP address of any device without extensive knowledge of computer networks. This makes IP addresses easy to spoof.

To solve these problems of the prior art, various communication methods have been developed to improve the security of existing routers. In particular, document EP1170925 discloses a method of communication between devices that uses access vectors stored in an address table, where the vectors comprise data indicating whether the MAC ("Media Access Control") address of one node may communicate with the MAC address of another. In short, this document discloses a method that determines whether a node has permission to send information to another on the basis of the MAC addresses of both nodes, but it does not disclose the possibility of using these MAC addresses to control access to a given network.

On the other hand, document US8316438 discloses a system in which a personal computer with a given MAC address, when sending data to a gateway, passes through a network adapter that determines the transmission permissions for that computer and either blocks the signal or allows the data transfer. This document therefore shows that it is possible to have a low-cost intermediate network adapter operating at layer 2 of the OSI model to filter users' entry to the network. However, among other problems, the network would require multiple network adapters to perform this filtering, and configuring a new user would require reconfiguring every network adapter in the system, which makes the system impractical. In addition, obtaining a computer whose MAC address is registered in the network adapters would be enough to gain access to the network.


DESCRIPTION OF THE INVENTION

There is therefore a need for a security system that, on the one hand, has a low computational cost and, on the other, increases network security by blocking unauthorized users while allowing the table of users to be updated easily.

The present invention discloses a routing method that can be incorporated into a router through its firmware and that, because it operates at layer 2 of the OSI model, has a low computational cost and markedly improves the capabilities of current routers without modifying existing networks by adding new hardware.

The present invention discloses a method of routing signals in a router that comprises:

• means of connection to a series of devices;

• a table of allowed user addresses; and

• a user authorization table;

wherein the table of allowed user addresses comprises the MAC addresses of devices that are permitted to access the network, and the user authorization table comprises identification data of allowed users associated with at least one MAC address, the method comprising the steps of:

a) determining the MAC address of the device that is attempting to connect to the router;

b) identifying whether the MAC address determined in step a) is in the table of allowed user addresses; and

c) granting a level of access to the network;

wherein, if in step b) the MAC address is identified as being in the table of allowed user addresses, a step b1) is started in which the identification data of the allowed users for that MAC address is read from the user authorization table, followed by a step b2) of user identification in which user identification data is requested from the device and compared with the data read in step b1).

As regards access levels, the present invention contemplates three main levels: a first level of access denial, in which access to the network is completely prevented; a second level of partial authorization, in which access is granted to at least part of the network, for example only to the intranet; and a third level, in which full access to the network is granted. Other kinds of levels may nevertheless be incorporated without departing from the scope of protection of the present invention.

Preferably, the present invention contemplates that if, in step b), the MAC address is identified as not matching any of the addresses in the table of allowed user addresses, access to the network is denied in step c).

Preferably, if in step b) the MAC address is identified as matching one of the addresses in the table of allowed user addresses, and in step b2) the user identification data is identified as matching one of the identification data read in step b1), access to at least part of the network is granted in step c).

In addition, in the particular case where the MAC address of the device does not match any of the addresses in the table of allowed user addresses, or where the user identification data read in step b1) does not match the identification data of allowed users stored in the user authorization table for the user's MAC address, restricted access to the network is granted in step c), or access (2000) to the network could even be denied.

As regards restricted access to the network, this restricted access may be understood, in particular, as only receiving data, only accessing the intranet (for example, to connect to printers, scanners, etc.), and/or only sending data without receiving any.

Additionally, the router may comprise an additional control variable based on a restriction table, and a step e) in which access restrictions are set for at least one of the users in the user authorization table. Such restrictions may be, for example, a time-of-day restriction on when network access is allowed in step c); a web-page restriction, whereby in step c) access to at least one web page is denied; a protocol restriction, whereby in step c) communication by means of at least one protocol (for example FTP, "File Transfer Protocol") is denied; a port restriction, whereby in step c) communication through at least one port is denied; and so on.


Furthermore, the present invention also relates to a router that executes a routing method of the type explained above.

DESCRIPTION OF THE DRAWINGS


To complement the description being made, and in order to help a better understanding of the features of the invention according to a preferred example of its practical embodiment, a set of drawings is attached as an integral part of said description, in which the following is shown by way of illustration and not limitation:

Figure 1 shows a schematic view of a communication flow in a preferred embodiment of the present invention.


Figure 2 shows a flow chart indicating the operation of a routing method according to the present invention.

PREFERRED EMBODIMENT OF THE INVENTION


Figure 1 shows a preferred embodiment of the present invention. In particular, Figure 1 shows a first embodiment in which the router is connected to a series of user devices (101, 102, 103, 104), each of said user devices (101, 102, 103, 104) having a MAC address.


Initially, the router of Figure 1 detects, in a first stage (1), the MAC address (10) of the active device (101), that is, the one of the series of user devices (101, 102, 103, 104) that intends to make use of the network. Subsequently, in a second stage (2), it performs an authorization of the MAC address (10) of the active device (101), that is, it determines whether the MAC address (10) of said device corresponds to any of the MAC addresses stored in a table of allowed user addresses in the router. If the MAC authorization (21) succeeds, that is, it is determined that the MAC address (10) of the device corresponds to one of the addresses stored in the router, then a third stage (3) follows, in which a user authorization is performed. Otherwise, access is denied (2000).

In said third stage (3) the aim is to identify the user who is making use of the equipment authorized to enter the network; however, in particular embodiments of the present invention this authorization is not necessary for all MAC addresses of the user devices, since there will be devices such as printers, fax machines, scanners, etc. for which this user authorization does not need to be performed.

However, the present invention contemplates that the router comprises a user authorization table in which, for at least one of the MAC addresses stored in the table of allowed user addresses, at least one username and password are available to identify, in addition to the equipment connecting to the network, the user who is making use of that equipment.

Thus, if the user identification (31) has succeeded, a fourth stage (4) of time restriction follows and, in the case of an incorrect identification (31), access to the network is denied (2000).

Regarding the fourth stage (4) of time restriction, the embodiment of Figure 1 contemplates that for at least one of the users there is a time restriction parameter, which can be implemented as an additional parameter of the user authorization table or as an independent table of time restrictions.

This time restriction is intended so that specific permissions are available on the router for each of the users. For example, one of the users should have access to certain resources such as printers, etc. only during part of the working day, in order to organize the work in an office; or, in another example, a parental control can be provided so that when access is made with the password of a child user, internet access is available only until a certain time and, once that time is exceeded, access to resources is restricted. In the case of parental control, this restricted access to resources may be, for example, no access to the internet but access to internal network resources such as printers, scanners, etc.

Additionally, the present invention contemplates that, in addition to the time restriction, the method of the present invention allows additional restriction mechanisms to be incorporated, such as, for example, a fifth stage (5) in which additional restrictions are set, such as restricting access via certain ports or communication protocols, or to certain web pages, among others.

Once the access level for the user has been defined, and if it is determined that no restriction applies, the user can be granted access to the network (1000). Otherwise, access is denied (2000).

Figure 2 shows a flow chart of a second embodiment of the present invention.

In said embodiment, a first stage (1) of data input is provided; in this case, the inputs to the flow chart are the MAC address of the device that intends to connect to the network and configuration data comprising a table of allowed user addresses, a user authorization table and, in this particular example, a time restriction table and an additional restrictions table.

Once the input data is detected, a second stage (2) of MAC authorization follows, in which it is determined whether the MAC address from the first stage (1) corresponds to one of the MAC addresses in the table of allowed user addresses. If, by means of a first decision operator (200), the MAC address is found to correspond (202) to one of the stored addresses, a third stage (3) of user authorization follows. If it is determined that the MAC address does not correspond (201) to the stored addresses, access to the network is denied (2000).

In the third stage (3) the user authorization is performed, that is, the user is prompted for a username-password pair. Subsequently, if the username-password pair corresponds to the one stored in the user authorization table for said MAC address, the user is deemed authenticated (303); otherwise, it is determined that no authorized user has been authenticated and the method can proceed in two different ways: a first course of action (301) in which the user is given restricted access (3000), for example only to the intranet, and a second course of action (302) in which access to the network is denied (2000) for lack of authentication.

After the authentication (303) of the user, it is determined by means of a fourth stage (4) whether a time restriction has been defined for said user. From there, a logical decision operator determines whether the user has a time restriction, in which case either a first action (401) denying access or a second action (402) granting the user restricted access (3000) can be chosen.

If it is determined that the user has no time restriction, access without time restrictions is authorized (403) for the user.

Finally, the present invention contemplates a fifth stage (5) of additional restrictions, in which it is determined whether additional restrictions exist for said user. If the existence of an additional restriction (501) is determined, the user is granted restricted access (3000), and if it is a user for whom the non-existence of additional restrictions (502) has been determined, access to the network is granted (1000).

In order to give greater clarity to the present description, the definition of restricted access (3000) to the network refers to the existence of a partial block (301): for example, access is granted only to the internet, access to certain protocols (for example, FTP) is denied, access to certain web pages is denied, certain ports are blocked, etc. Additionally, when it is mentioned that access is denied (2000), this refers to a total block (2001) that prevents the user from communicating both with the devices on the network and with an external network such as the internet.
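The five-stage decision flow of Figures 1 and 2 (MAC authorization, user authorization, time restriction, additional restrictions, then grant/restricted/deny), as an added example written for this page and not the patent's own code. The allowed-address table, the per-MAC user records, the two configurable failure actions (301/302 and 401/402) and the salted hashed password storage are constructed assumptions.

```python
"""Access-decision pipeline modelled on stages 1 to 5 of Figures 1 and 2.

Added example, not the patent's code: tables, device addresses and the
hashed-password storage are constructed assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import time

# Outcome codes as numbered on the page: 1000 grant, 3000 restricted, 2000 deny.
GRANT, RESTRICTED, DENY = 1000, 3000, 2000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Constructed assumption: the page stores "a username and a password";
    # here the table holds a salted PBKDF2 hash so a dumped router
    # configuration does not reveal the credentials themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    # Stage-4 time-restriction parameter: allowed window, None = unrestricted.
    allowed_window: tuple[time, time] | None = None
    # Stage-5 additional restrictions (ports, protocols, web pages, ...).
    extra_restrictions: list[str] = field(default_factory=list)


@dataclass
class RouterConfig:
    allowed_macs: set[str]                       # table of allowed user addresses
    user_auth: dict[str, dict[str, UserRecord]]  # MAC -> username -> record
    on_auth_failure: int = DENY                  # path 302 (DENY) or 301 (RESTRICTED)
    on_time_violation: int = DENY                # action 401 (DENY) or 402 (RESTRICTED)


def decide_access(cfg: RouterConfig, mac: str, username: str | None,
                  password: str | None, now: time) -> tuple[int, str]:
    """Return (outcome code, reason) by walking stages 2 to 5 in order."""
    mac = mac.lower()
    # Stage 2: MAC authorization (decision 200 -> 201 deny / 202 continue).
    if mac not in cfg.allowed_macs:
        return DENY, "mac-not-in-allowed-table"
    users = cfg.user_auth.get(mac)
    # Devices such as printers carry no user entries: no user authorization.
    if not users:
        return GRANT, "device-only"
    # Stage 3: user authorization against the record stored for this MAC.
    rec = users.get(username or "")
    # Hash even for unknown usernames so timing does not reveal which exist.
    salt = rec.salt if rec else b"\0" * 16
    candidate = _hash_password(password or "", salt)
    if rec is None or not hmac.compare_digest(candidate, rec.pw_hash):
        return cfg.on_auth_failure, "user-auth-failed"
    # Stage 4: time restriction (401 deny / 402 restricted / 403 continue).
    if rec.allowed_window is not None:
        start, end = rec.allowed_window
        if not (start <= now <= end):
            return cfg.on_time_violation, "outside-allowed-hours"
    # Stage 5: additional restrictions (501 restricted / 502 grant).
    if rec.extra_restrictions:
        return RESTRICTED, "restricted:" + ",".join(rec.extra_restrictions)
    return GRANT, "ok"


def build_demo_config() -> RouterConfig:
    """Constructed sample tables: one workstation with two users, one printer."""
    salt = b"constructed-salt"
    return RouterConfig(
        allowed_macs={"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"},
        user_auth={
            "00:11:22:33:44:55": {
                "alice": UserRecord(salt, _hash_password("correct horse", salt)),
                "child": UserRecord(salt, _hash_password("kid-pass", salt),
                                    allowed_window=(time(8, 0), time(20, 0)),
                                    extra_restrictions=["deny-proto:ftp"]),
            },
            # Printer: listed in the allowed-address table, no user records.
            "aa:bb:cc:dd:ee:ff": {},
        },
        on_time_violation=RESTRICTED,  # child keeps intranet access after hours
    )


if __name__ == "__main__":
    cfg = build_demo_config()
    print(decide_access(cfg, "00:11:22:33:44:55", "alice", "correct horse", time(10)))
    print(decide_access(cfg, "00:11:22:33:44:55", "child", "kid-pass", time(22)))
    print(decide_access(cfg, "de:ad:be:ef:00:00", None, None, time(10)))
```

The MAC table alone is only a device check (a MAC address is trivially reported by the client), which is why the page layers the username-password stage on top of it; the example keeps the two failure actions configurable exactly as Figure 2 leaves them open.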

Claims (10)

CLAIMS

1. Signal routing method in a router comprising:
• connection means to a series of devices (101, 102, 103, 104);
• a table of allowed user addresses; and
• a user authorization table;
in which the table of allowed user addresses comprises MAC addresses (10) of devices with permission to access the network, characterized in that the user authorization table comprises a series of allowed-user identification data related to at least one MAC address (10), and in that it comprises the steps of:
a) determining the MAC address (10) of the device that is to be connected to the router;
b) identifying whether the MAC address (10) determined in step a) is in the table of allowed user addresses; and
c) granting or denying a level of access to the network;
in which, if in step b) the MAC address (10) is identified as being in the table of allowed user addresses, a step b1) is started, of reading the allowed-user identification data for said MAC address (10) from the user authorization table, followed by a step b2) of user identification, in which user identification data is requested from the device and compared with the data read in step b1).

2. Method, according to claim 1, characterized in that if, in step b), the MAC address (10) is identified as not corresponding to any of the addresses in the table of allowed user addresses, in step c) access to the network is denied (2000).

3. Method, according to claim 1, characterized in that, if in step b) the MAC address (10) is identified as corresponding to one of the addresses in the table of allowed user addresses and in step b2) the user identification data is identified as corresponding to one of the identification data read in step b1), in step c) access is granted to at least part of the network.

4. Method, according to claim 1, characterized in that in step c) restricted access (3000) to the network is granted.

5. Method, according to claim 4, characterized in that the restricted access (3000) to the network comprises only the reception of data.

6. Method, according to claim 1, characterized in that the router comprises a restriction table and in that it comprises a step e) in which access restrictions are set for at least one of the users of the user authorization table.

7. Method, according to claim 6, characterized in that said restrictions comprise a time-of-day access restriction on when, in step c), access to the network is granted (1000).

8. Method, according to claim 6, characterized in that said restrictions comprise a web page restriction in which, in step c), access to at least one web page is denied.

9. Method, according to claim 6, characterized in that said restrictions comprise a protocol restriction in which, in step c), communication via at least one protocol is denied.

10. Method, according to claim 9, characterized in that the at least one protocol is the FTP protocol.

11. Method, according to claim 6, characterized in that said restrictions comprise a port restriction in which, in step c), communication via at least one port is denied.

12. Router executing a routing method according to any one of claims 1 to 11.
ES201430822A 2014-05-29 2014-05-29 Routing method with security and frame-level authentication Expired - Fee Related ES2552675B1 (en)

Priority Applications (18)

Application Number Priority Date Filing Date Title
ES201430822A ES2552675B1 (en) 2014-05-29 2014-05-29 Routing method with security and frame-level authentication
US15/314,381 US20170230350A1 (en) 2014-05-29 2014-05-29 Network element and method for improved user authentication in communication networks
EP15735721.1A EP3151505B1 (en) 2014-05-29 2015-05-29 Method and network element for improved access to communications networks
EP15738129.4A EP3151506A1 (en) 2014-05-29 2015-05-29 Improved assignment and distribution of network configuration parameters to devices
MX2016015592A MX359691B (en) 2014-05-29 2015-05-29 Method and network element for improved access to communication networks.
KR1020167035995A KR20170016878A (en) 2014-05-29 2015-05-29 Method and network element for improved user authentication in communication networks
KR1020167035695A KR20170013298A (en) 2014-05-29 2015-05-29 Improved assignment and distribution of network configuration parameters to devices
PCT/ES2015/070422 WO2015181430A1 (en) 2014-05-29 2015-05-29 Improved assignment and distribution of network configuration parameters to devices
PT157357211T PT3151505T (en) 2014-05-29 2015-05-29 Method and network element for improved access to communications networks
US15/314,725 US10257186B2 (en) 2014-05-29 2015-05-29 Method and network element for improved access to communication networks
PCT/ES2015/070423 WO2015181431A1 (en) 2014-05-29 2015-05-29 Method and network element for improved access to communication networks
KR1020167035843A KR20170015340A (en) 2014-05-29 2015-05-29 Method and network element for improved access to communication networks
ES15735721.1T ES2673938T3 (en) 2014-05-29 2015-05-29 Procedure and network element for improved access to communication networks
US15/314,915 US10129246B2 (en) 2014-05-29 2015-05-29 Assignment and distribution of network configuration parameters to devices
EP15735720.3A EP3151144A1 (en) 2014-05-29 2015-05-29 Method and network element for improved user authentication in communication networks
AU2015265782A AU2015265782B2 (en) 2014-05-29 2015-05-29 Method and network element for improved access to communication networks
CA2950677A CA2950677A1 (en) 2014-05-29 2015-05-29 Network element and method for improved access to communication networks
PCT/ES2015/070421 WO2015181429A1 (en) 2014-05-29 2015-05-29 Method and network element for improved user authentication in communication networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
ES201430822A ES2552675B1 (en) 2014-05-29 2014-05-29 Routing method with security and frame-level authentication

Publications (2)

Publication Number Publication Date
ES2552675A1 true ES2552675A1 (en) 2015-12-01
ES2552675B1 ES2552675B1 (en) 2016-10-10

Family

ID=53525204

Family Applications (2)

Application Number Title Priority Date Filing Date
ES201430822A Expired - Fee Related ES2552675B1 (en) 2014-05-29 2014-05-29 Routing method with security and frame-level authentication
ES15735721.1T Active ES2673938T3 (en) 2014-05-29 2015-05-29 Procedure and network element for improved access to communication networks

Family Applications After (1)

Application Number Title Priority Date Filing Date
ES15735721.1T Active ES2673938T3 (en) 2014-05-29 2015-05-29 Procedure and network element for improved access to communication networks

Country Status (9)

Country Link
US (3) US20170230350A1 (en)
EP (3) EP3151505B1 (en)
KR (3) KR20170013298A (en)
AU (1) AU2015265782B2 (en)
CA (1) CA2950677A1 (en)
ES (2) ES2552675B1 (en)
MX (1) MX359691B (en)
PT (1) PT3151505T (en)
WO (3) WO2015181431A1 (en)

JP7419973B2 (en) * 2020-06-01 2024-01-23 トヨタ自動車株式会社 Information processing device, information processing method, program, and mobile device
EP4173232A1 (en) * 2020-06-29 2023-05-03 Illumina, Inc. Temporary cloud provider credentials via secure discovery framework
CN111932780B (en) * 2020-07-11 2022-03-04 南京理工大学 Power management system based on block chain technology
CN114095424A (en) * 2020-08-07 2022-02-25 艾锐势企业有限责任公司 Router, method for router, computer readable medium and device
US11457012B2 (en) * 2020-11-03 2022-09-27 Okta, Inc. Device risk level based on device metadata comparison
US11882452B2 (en) 2020-11-20 2024-01-23 Bank Of America Corporation Monitoring for security threats associated with mobile devices that have been identified and logged
US11361630B1 (en) 2020-11-20 2022-06-14 Bank Of America Corporation Identifying and logging mobile devices posing security threats
US11601399B2 (en) 2021-01-20 2023-03-07 Bank Of America Corporation System and method for detecting forbidden network accesses based on zone connectivity mapping
US11949652B2 (en) 2021-03-31 2024-04-02 Samsung Electronics Co., Ltd. Transmitting router advertisements based on identification information of external devices
KR20220135623A (en) * 2021-03-31 2022-10-07 삼성전자주식회사 Electronic device for allocating ip address of an external electronic device and method for the same
KR102479425B1 (en) * 2021-06-18 2022-12-20 주식회사 이너트론 Method and apparatus for detecting and blocking illegal devices in wired and wireless networks
US11929981B2 (en) * 2021-09-15 2024-03-12 Honeywell International Inc. Batch assignment of IP addresses in a building control network
CN114979738B (en) * 2022-05-17 2023-03-14 深圳市旭联信息技术有限公司 Wireless screen projection method, receiver and storage medium
CN115208683B (en) * 2022-07-26 2023-05-26 北京航天驭星科技有限公司 Authority distribution method and authority distribution device based on space cloud service

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030220994A1 (en) * 2002-02-28 2003-11-27 Chunrong Zhu Wireless network access system and method
US20060137005A1 (en) * 2004-12-16 2006-06-22 Samsung Electronics Co., Ltd. System for and method of authenticating device and user in home network
US20080209071A1 (en) * 2006-12-18 2008-08-28 Fujitsu Limited Network relay method, network relay apparatus, and network relay program
US7568092B1 (en) * 2005-02-09 2009-07-28 Sun Microsystems, Inc. Security policy enforcing DHCP server appliance
US7574202B1 (en) * 2006-07-21 2009-08-11 Airsurf Wireless Inc. System and methods for a secure and segregated computer network
EP2667664A1 (en) * 2012-05-25 2013-11-27 Comcast Cable Communications, LLC Method and devices for providing access to public and private wireless networks

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6393484B1 (en) * 1999-04-12 2002-05-21 International Business Machines Corp. System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks
US6981143B2 (en) * 2001-11-28 2005-12-27 International Business Machines Corporation System and method for providing connection orientation based access authentication
US7533412B2 (en) * 2002-04-23 2009-05-12 Stmicroelectronics S.A. Processor secured against traps
US7249187B2 (en) * 2002-11-27 2007-07-24 Symantec Corporation Enforcement of compliance with network security policies
US7735114B2 (en) * 2003-09-04 2010-06-08 Foundry Networks, Inc. Multiple tiered network security system, method and apparatus using dynamic user policy assignment
WO2005091159A1 (en) * 2004-03-24 2005-09-29 Exers Technologies. Inc. Authentication system being capable of controlling authority based of user and authenticator.
US20070220252A1 (en) * 2005-06-06 2007-09-20 Sinko Michael J Interactive network access controller
US7966650B2 (en) 2008-02-22 2011-06-21 Sophos Plc Dynamic internet address assignment based on user identity and policy compliance
US8891358B2 (en) * 2008-10-16 2014-11-18 Hewlett-Packard Development Company, L.P. Method for application broadcast forwarding for routers running redundancy protocols
US9047458B2 (en) * 2009-06-19 2015-06-02 Deviceauthority, Inc. Network access protection
US9119070B2 (en) 2009-08-31 2015-08-25 Verizon Patent And Licensing Inc. Method and system for detecting unauthorized wireless devices
US8745758B2 (en) * 2009-11-02 2014-06-03 Time Warner Cable Enterprises Llc Apparatus and methods for device authorization in a premises network
WO2014039047A1 (en) * 2012-09-07 2014-03-13 Nokia Corporation Methods and apparatus for network sharing control

Also Published As

Publication number Publication date
KR20170013298A (en) 2017-02-06
AU2015265782B2 (en) 2018-12-06
US20170230350A1 (en) 2017-08-10
KR20170015340A (en) 2017-02-08
KR20170016878A (en) 2017-02-14
EP3151505A1 (en) 2017-04-05
MX2016015592A (en) 2017-07-13
US10257186B2 (en) 2019-04-09
EP3151506A1 (en) 2017-04-05
ES2673938T3 (en) 2018-06-26
US20170187703A1 (en) 2017-06-29
ES2552675B1 (en) 2016-10-10
AU2015265782A1 (en) 2016-12-22
EP3151505B1 (en) 2018-03-28
US20170195162A1 (en) 2017-07-06
EP3151144A1 (en) 2017-04-05
MX359691B (en) 2018-10-04
WO2015181431A1 (en) 2015-12-03
US10129246B2 (en) 2018-11-13
PT3151505T (en) 2018-06-29
CA2950677A1 (en) 2015-12-03
WO2015181430A1 (en) 2015-12-03
WO2015181429A1 (en) 2015-12-03

Similar Documents

Publication Publication Date Title
ES2552675B1 (en) Routing method with security and frame-level authentication
ES2337437B2 (en) Method and system for controlling wireless access to secure network resources based on context
US7840763B2 (en) Methods and systems for achieving high assurance computing using low assurance operating systems and processes
CN107820604B (en) Para-virtualized security threat protection for computer driven systems with networked devices
ES2922413T3 (en) Protection of data in memory of a consumable product
ES2748912T3 (en) Device and procedure for managing the access rights to a wireless network
ES2947385T3 (en) Method and system to control the security of users who browse the Internet
US20120324533A1 (en) Wireless network having multiple security interfaces
US10878134B2 (en) Technologies for controlling memory access transactions received from one or more I/O devices
ES2687351T3 (en) Network flow control device and security strategy configuration method and device
US20150381610A1 (en) Location-based data security
Wang et al. Towards a security-enhanced firewall application for openflow networks
US11005852B2 (en) System and method for securing electronic devices
US11528270B2 (en) Network authorization in web-based or single sign-on authentication environments
Peters et al. BASTION-SGX: Bluetooth and architectural support for trusted I/O on SGX
Rios et al. From SMOG to Fog: a security perspective
CN103905402B (en) A kind of secret and safe management method based on safety label
BR112020020401A2 (en) DISABLED SECURE INTERFACE
US11165773B2 (en) Network device and method for accessing a data network from a network component
CN104579735A (en) Router security management method
KR102075514B1 (en) Network security unit for a vehicle
ES2514365T3 (en) Industrial automation system and method for its protection
ES2909011T3 (en) Systems and methods for receiving and transmitting communication signals
Rathod et al. Roll of distributed firewalls in local network for data Security
KR20170017860A (en) Network virtualization system based of network vpn

Legal Events

Date Code Title Description
PC2A Transfer of patent

Owner name: JOSE ANTONIO ENRIQUE SALPICO

Effective date: 20141009

PC2A Transfer of patent

Owner name: TECTECO SECURITY SYSTEMS, S.L.

Effective date: 20150624

FG2A Definitive protection

Ref document number: 2552675

Country of ref document: ES

Kind code of ref document: B1

Effective date: 20161010

FD2A Announcement of lapse in Spain

Effective date: 20220701